Impact of Cyber crime on the Trust on Ecommerce
Asia Pacific and China CERT CC 2006 Conference
30 March 2006
2 eBay Inc. confidential
Trust is a Critical Element to the Growth of eCommerce
eCommerce
• Trading Platforms like eBay
• Internet Banking like Citibank, Bank of China, PayPal
Cyber crime and Public Insecurity
• Media coverage of theft of data, internet crimes, botnets, spyware, etc
• Lack of Awareness of online safety and computer system security
Concerns of the Public Community
• Data privacy
• Theft of financial information
Our Concerns: Key Fraud Schemes
Seller Fraud
• Account Takeover thru PHISHING
• SPAM Soliciting off-site deals
• Fake Escrow Sites
• Non-Performance of Transactions (False Listings)
• Fraudulent Misrepresentations
Top 4 fraud schemes are phishing-related
Why are eBay and PayPal a Target for Phishing
• eBay – Open, global Marketplace with over 180 million users
• PayPal – Global Payment Platform with over 80 million users
• Phishing
  – Direct financial impact on our members
  – Erodes trust in eBay and PayPal
  – Erodes safety perception of the Internet
• Phishing is a very cost effective enterprise and is empowering criminal groups to build bigger networks
• It is necessary to combine efforts from law enforcement agencies, governments, Internet players and ISPs to fight this issue and strengthen our ability to respond to the next issue.
Phishing Sites in Asia Pacific Region – March 13-19
Country           Number of phishing sites
Korea             87
China             75
India             25
Thailand          25
Japan             9
Chinese Taipei    18
Australia         4
Hong Kong         5
Malaysia          3
Singapore         2
Reported spoof sites – up 400% + YoY
Source: Anti-Phishing Working Group
Reported spoof sites – Hosting countries
Source: Anti-Phishing Working Group
China Construction Bank - Shanghai March 9, 2006
http://202.96.226.225/.www.eBay.com/sign-in.html?.ebay.com/ws/eBayISAPI.dll?SignIn&co_partnerId=2&pUserId=&siteid=0&pageType=&pa1=&i1=&bshowgif=&UsingSSL=&ru=&pp=&pa2=&errmsg=&runame=&ruparams=&ruproduct=&sid=&favoritenav=&migrateVisitor=
Fake Companies are Created as well (escrow)
What are we doing
• Social Response
• Technical Response
• Legislative Response/Judicial Response
Social Response
• On site Education:
  – eBay Spoof hub and Security Center
  – eBay European Antiphishing Campaign
  – PayPal’s communication efforts regarding security
• Off site education
  – http://www.getsafeonline.org/ and similar initiatives
  – Educating Police and Gov’t
Education and Transparency Tutorials
• Step-by-step lessons in areas such as Spoof
Education & Awareness Onsite & DM Campaigns
http://pages.ebay.co.uk/safetycentre/index.html
PayPal Security Center Website
Identity Protection Checklist
Identity Theft Victims Guide: What to do if you are a victim of identity theft
Technical Response
• Toolbar/My Messages
• Proactive Detection (risk models, Site Ops)
• Communication policy changes
• Spoof Handling team
• Internal detection system/reporting
  – Preventative measures in detecting unauthorized access/spoof
  – [email protected] and [email protected] addresses
  – Toolbar reporting system
• Working with email hosting services to find ways for them to not deliver email that only appears to be from eBay/PayPal
• Phish Report Network – browsers/ISP’s don’t allow people to get to Phishing sites
Toolbar with Account Guard
• Our primary tool to help users protect themselves against spoof websites
• How it works:
  – Account Guard turns green when on eBay or PayPal sites
  – Account Guard turns red when on identified spoof sites
  – Pop up alerts user before allowing them to proceed
  – Password protection alerts user when about to enter their eBay or PayPal passwords on other websites
Site does not have to be fraudulent
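The green/red indicator and password alert described on this slide, sketched as an added example (not eBay's toolbar code). The trusted-domain list, the reported-spoof set and all function names are assumptions, and the sample spoof URL is constructed to mirror the structure of the one shown earlier in the deck: a raw IP host with the brand name pushed into the path.

```javascript
// Added illustration of the green/red logic; not eBay's toolbar code.
// TRUSTED_DOMAINS and the spoof-host set are assumptions for the example.
const TRUSTED_DOMAINS = ["ebay.com", "ebay.co.uk", "paypal.com"];
const BRAND = /ebay|paypal/;

// A host is trusted only if it IS a listed domain or a subdomain of one.
function isTrustedHost(host) {
  return TRUSTED_DOMAINS.some((d) => host === d || host.endsWith("." + d));
}

// Classify a URL: "green" (eBay/PayPal), "red" (identified spoof) or
// "grey" (anything else). brandOutsideHost marks a brand name that appears
// in the URL although the page is not on a trusted host.
function accountGuard(rawUrl, spoofHosts = new Set()) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { color: "grey", brandOutsideHost: false };
  }
  // Decide on the parsed hostname only, never on a substring of the URL.
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const trusted = /^https?:$/.test(url.protocol) && isTrustedHost(host);
  const haystack = (host + url.username + url.pathname + url.search).toLowerCase();
  const brandOutsideHost = !trusted && BRAND.test(haystack);
  if (spoofHosts.has(host)) return { color: "red", brandOutsideHost };
  return { color: trusted ? "green" : "grey", brandOutsideHost };
}

// Password protection: alert on every site that is not green, because the
// site does not have to be a known spoof for the password to be at risk.
function passwordAlert(rawUrl, spoofHosts = new Set()) {
  return accountGuard(rawUrl, spoofHosts).color !== "green";
}

// Constructed samples (documentation IP range, example.net).
const spoofUrl = "http://203.0.113.25/.www.eBay.com/sign-in.html?.ebay.com/ws/eBayISAPI.dll?SignIn";
const reported = new Set(["203.0.113.25"]);
console.log(accountGuard("https://signin.ebay.com/ws/eBayISAPI.dll?SignIn"));
console.log(accountGuard(spoofUrl, reported));
console.log(accountGuard(spoofUrl));
console.log(accountGuard("http://www.ebay.com.example.net/login"));
```

A spoof host that has not yet been reported stays grey rather than red, which is why the password alert keys on "not green" instead of "red".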
Toolbar Turns Red
Legislative/Judicial Response
• Working closely with Law Enforcement, Gov’t and ISPs
Past and current initiatives:
• Phish Report Network – browsers/ISPs don’t allow people to get to phishing sites
• Training to LE and prosecutors
• Attending working groups with Gov’t to help define the issue and support action plan
• Work with Internet Provider Association to gain ISP support
• Affidavits sent to ATO victims to facilitate reporting
• Build network to get support in spoof escalations and reduce takedown time
Longer term objective:
• Support anti-phishing laws and harmonization across the countries
• Raise industry, LE and Gov’t awareness on this issue
• Get the relevant industry partners aboard
• Gain stronger support from ISP industry
Japan – Engineer Arrested
First Arrest in a Phishing Case in India
Conclusion
Partnership
• Public Awareness Campaign
• Police and Govt Awareness Campaign
• Uniform standards and guidelines on internet and computer system security across all industry
A new hobby for Dilbert, a big issue for the industry
Thank You
Michael Pak
eBay, Asia Pacific
Trust and Safety Department
Mob: +8211-713-2252
Skype id: pak1811